Not all of the changes to Android 5.0 Lollipop are meant to be seen by regular users, but that doesn't make them any less important. One of the core components of the operating system is about to break free from the shackles of firmware updates and join the Play Store and Google Play services in receiving automatic updates directly from Google. As of Android 5.0, the WebView component will be a distinct apk, allowing it to be upgraded separately from the OS. Not only will this ensure important security updates find their way to our devices, but it will also make new features and APIs available to developers of applications that rely on WebView.

For those who aren't familiar with WebView, it's a component developers can use within their apps to display web content without launching a separate web browser. WebView is incredibly useful and powerful when used in the right applications, but it has also gained a bad reputation from developers that bundle it with nothing more than a few web pages and some javascript, usually resulting in something much slower and less efficient than a comparable native app.

Last year, with the release of Android 4.4 KitKat, the WebKit-based WebView was abandoned in favor of Google's own Chromium project. While this was generally seen as a good move to improve security and functionality –albeit, with a few notable tradeoffs– it didn't resolve the bigger issue: that security patches were still tied to official releases of the OS. Since the vast majority of phones and tablets are dependent on updates from manufacturers, known bugs and security exploits continued to exist on current flagship devices for months, and may never be fixed on older devices. Just days after KitKat was released, the Chrome Developer team acknowledged the problem and their intent to move toward a system of regular updates.

Even Nexus devices, which receive Android updates directly from Google (usually) within days of a new release, are running outdated versions of WebView. The last official version of Android to update its version of Chromium was KitKat 4.4.3 in June, which moved to M33. (Note: M33 was already 6 months old at the time.) It's been 5 months since that update, and Chromium is up to M39. OEMs can always choose to update the WebView manually in their own firmware releases, but this is inconsistent, and still allows their devices to become outdated on a different version.

Devices running Android 5.0 will still include a version of WebView bundled as a system app, but it is now an apk that can be updated separately from the OS. It uses the same mechanism that automatically updates the Play Store and Google Play services, a process that happens in the background without relying on users to update manually. The implications of regular updates go beyond simple security fixes, but may also bring performance and usability improvements, and even open up new APIs for developers to use in their own apps that otherwise may never have come to older versions of the OS.

The Chromium-based WebView included with the recently released Lollipop Developer Preview is tagged M37, and includes support for WebRTC, WebAudio, and WebGL. This is still a little behind the current version, M39, released in September, but it may be updated for the official release. The open source Chromium project generally releases new versions about every 6 weeks, but rollouts may not happen immediately, depending on how testing is to be done prior to release. The important thing is that we'll always receive regular updates and never again have to worry about gaping security holes that have been around for months, or even years.

This is a massive step forward for Android, the more of this they can manage to pull off the better.

Shade

If they could decouple the status bar/notification shade, I would be pretty okay with moving to a non-Nexus phone.

Eran Murat

What do you mean?

Japzone

He means making it so that you can pretty much replace any piece of the UI with some Third-party, like you do with Homescreen and Keyboards.

didibus

And the settings app.

AustinBlythefca

my Aunty Quinn recently got a fantastic red Mercedes-Benz C-Class Coupe just by some part-time working online at home. visit the website...>> -> CAREER IN FREELANCING!!! <-

Cody Curry

This is a potentially major security issue, though. You're feeding all notifications through one application.

Japzone

Not any riskier than replacing your Homescreen and Keyboard. Apps can already access Notifications using the Accessibility and Admin settings. I use Pushbullet all the time. If I can trust it, I can trust some third-party app to actually show the Notifications on my phone.

Artur Łukasz

Android system icon, from froyo to lilipop xD

Victor Souza

right!!
that needs to go

Crispin Swickard

It looks so LG when your scrolling through the app list... Also a few other ones like calender storage, and such. Hopefully these are some of the things that will be addressed between now, and final release. System stability seems very good though currently. The only real visual issues may have been from my launcher.

thartist

Ha! Why is it so hard for big companies to update icons? (I'm thinking Microsoft with Windows and Metro) ...Especially after a whole world was made of Material design...

Vinícius Souza

This guy already has Nexus 6 hands on. Told AP through Twitter, but they just ignored.

In most cases, if we don't respond to something on Twitter, it's because we just didn't see the interaction, not because we're purposely ignoring it for some reason. That said, I don't really see any new information in this video.

Vinícius Souza

Sorry to disagree, but this is the first video comparing it side to side to it's most powerful phablet competitor. Also, maybe it's the first hands on video of Nexus 6. Didn't want to be disrespectful, but yes, I think it is relevant.

Mlibbey

As a lover of the Nexus 6, I unfortunately have to agree with Liam. He really didn't tell us, show us anything but his opinions. Yes, it's the first video of the 6 on camera but he literally shows us NOTHING that we don't already know

Vinícius Souza

For months and months people argued here about it's size and were desperate to see a real size comparison to have a real idea of it. Now that finally there is a video about it, it's not relevant?! I just was willing to help, sharing something I found out. But since I'm being so annoying, be sure guys next time I will keep my finds just with me. Cheers.

Mlibbey

Don't get me wrong i watched the video and liked it, I just don't think it had enough new info that AP would made a post about it

Justin W

I think you're forgetting all of the image comparisons some CAD gurus threw up on reddit and in the comments around here on different articles. The size is known and, while the video gives us the first "hands-on", it's sole purpose seems like it was to tell us exactly what the device already has (which we know from previous articles on different Android blogs, as well as from Google themselves). The video shows us nothing new or that wasn't already known.

Vinícius Souza

I remember perfectly all that great CAD comparisons. It was just because of that I thought it would be great to all of you finally see the real life comparison both beside it's most powerful competitor and related to hands hold on thing. When he does a full review I hope it will bring relevant information.

jonathan3579

Someone is getting a little butthurt over nothing. That video has been posted on several articles already. Yes, it shows a live device, sorta, but it was really nothing to get excited about.

Eisenhorn1976

Hey -- I appreciate what you posted. I just got my Note 4 the other day and it looks like the Nexus 6 is EVEN BIGGER. Sure it's 0.3" bigger but in practical use, it's probably not that big of a deal, especially since the software buttons take-up a non-inconsiderable portion of the screen.

Vinícius Souza

I share your thoughts! I have a Note 3 and it's width is slightly bigger than Note 4, so it wont be a big deal dealing with Nexus 6. The unique thing that's freaking me out a little bit is that big curved back part of the device. Never used one like this, so don't know how would be when resting on the table. Probably it's not really practical to use or try to type without getting it on hands. And, also, probably it will look bigger when laying on a table, since the sides will be above the central back part, that seems pretty big. All Galaxy phones I used were thin also (S II, Note, Note II).

You have to understand that Twitter, of all places, is really fast-moving, and during busy times, we just can't keep up. Heck, my inbox is still several hundred emails deep, but the best way to get us to see a tip is by sending it to the tip line - at least then one of us is much more likely to see it.

Having said that, I did see this link being thrown around and just like Liam, I watched it and decided it didn't offer anything compelling to make a post about it.

Vinícius Souza

Ok, Artem. No problem.

Gustavok

I'm yet to see a commenter that annoys more than you.

Vinícius Souza

Pretty sad to read this. Really. I'm not being ironic. But if I annoy you so much, just ignore me. Don't need to offend myself. Cheers from Brazil also.

Spasillium

The sad part about this is people who have no clue what this is will go on to the Play Store, leave 1-star reviews, and cry something like "this is a nexus! why is this crap preloaded on my phone!? it does nothing and i'm forced to have it!"

Victor Souza

like Talkback when it broke free from the system, the reviews are a mess, full of people thinking it's a spyware
but this one won't go to the playstore, it'll get updates like Play Services, so no worries

I can't speak for Google with absolute certainty, but......... Not a chance. As far as I can tell, it would require an update to KitKat (or whatever version) to have it recognize that there could be an apk replacing the WebView functionality. And that's not as trivial as it sounds. This is really just an improvement to Android 'going forward.'

Martin Nilsson

I can jump in an confirm this for my old phone running ICS. I intended to keep it around to use for casting YouTube, Play Music and Netflix as well as to do Hangouts when I need to. I have around 300-350 MB of space on that phone and Play Services has now climbed to over 100MB. I have that and Hangouts on the phone, rest don't fit (it needs about 100MB of free space to update apps). Phone rendered useless by Google, it's a good idea but on that phone it truly is a menace.

Justin W

Why would they? If the user tries to remove it, they're only doing self-harm, and then again, 2.3 should even have a way for them to uninstall Play Services (maybe it does, I don't recall). It's just a simple fact of those that aren't educated having no idea what they are talking about at a detriment to the company who gives them the devices they are using every day.

Thomas’

Yeah, but so what? The reviews are meaningless anyway since it'll already be installed on all new devices. They won't stop anyone from installing it.

Jadephyre

Well, you can refuse to update, and some people will no doubt do that out of ignorance, never getting the most up-to-date version and putting their security at risk, potentially.

bookwormsy

That sucks for them in that case. But functionally, it wouldn't be different from what <= KitKat has. It'll have the basic unupdated version that wouldn't be updated until the next OS update if the user refuses to update.

Thomas’

If it works the same way as Play Services - no you can't. The Play and the Services app get updated automatically. You might deinstall it, but it'll return later.

Japzone

That's what I was thinking. Play Services is updated silently, and you can't actually even get to it on the Play Store without searching for it using Google Search. No reason Google can't do the same with this, as it is as much of a security requirement as updating Play Services is.

abobobilly

Excuse my ignorance, but what exactly is it? Is it just needed for internet access on an Android device, or does it have a more broader usage? I mean, help me understand how making it available on Play Store is a good thing, kindly :)

As for those people who DO leave a 1 star review of the apps they don't understand, well lets just they might be 'children', or may not have enough education to decide between simple right and wrong. I for one would contact the developer first, incase of a problem with the app ... before leaving a useless review. Reviews are supposed to help people about the product, not project the writer's own ignorance.

DonEmu

This is what allows things like twitter apps, flipboard, newstand .etc. to open a browser instance within the app itself without actually opening chrome or whichever browser you use.

The advantage to moving this to the Play Store is that Google won't need to update the entire OS in order to give you the newest version of this, they could just update silently like they do Google Play Services.

abobobilly

Thanks for making it simple.

Chris Monteiro

Another way to understand it to is to compare it to Chrome. Chrome gets updates all the time (since it's in the Play Store). It's always secure, while Webview is separate from that, and uses a browser instance that is pretty much never updated. Also while Chrome gets performance improvements, Webview is still the same old thing (until now).

Tiago Pestana

What about hyperlase? Does anyone know if with the new version of Android and the new APIS for the camera, we can get the app anytime soon?

DonEmu

Ask the developers.

Erland

What's up with full disk encryption on 5.0? I thought Google said 5.0 would be encrypted by default but the option to encrypt device is still in security settings? Also something weird I noticed is that 5.0 doesn't require you to have a pin or password lockscreen when you encrypt your device. In previous versions of Android it was required and you had to input the pin or password on boot. You can actually choose to encrypt your device with no lockscreen or even slide to unlock and when you boot up you aren't required to decrypt the device. I don't get it. Why allow you to encrypt your device when it will decrypt on boot all on its own? Seems like it is a way for Google to say 5.0 is encrypted but it is really useless

Felipe Pimenta

Might not be the right answer, but my guess is that, first, NEW devices will be encrypted by default, not updated devices. Second, maybe because it's a Developer Preview. It should work as expected on the final release.

You're mixing up a few details, so I'm going to hit a few individual points.

A. As you said, encryption will be on by default. That doesn't mean it can't be turned back off if you choose to disable it. Therefore, the option should still remain in Settings.

B. Disk Encryption shouldn't have to require a secure lockscreen if the user doesn't want it to, especially if it's going to become a default on 5.0. Not everybody wants to be forced to perform extra steps each time they pick up their phone.

C. The encryption Google was referring to in the article by the Washington Post (our coverage) relates to devices that include hardware-level encryption, which doesn't seem to include existing hardware. The reason I point this out is because existing devices will likely differ in a few ways from upcoming hardware that is designed to take advantage of this feature.

Erland

So the encryption Google is referring to in the Lollipop features list is a new hardware based implementation?

In regards to point B, if full disk encryption is enabled but you are not required to decrypt on boot with a PIN or password, I fail to see what practical purpose it serves. My understanding is that the current implementation only encrypts the filesystem when the device is shutdown and decrypts a single time on start up. What good is encrypting your device when someone who gets their hands on it can simply turn it on and have full access to the filesystem

You did it again. Requiring a password at the time the device boots is different from requiring a password at the lockscreen.

This could become a whole blog post, because it stretches into a litany of other topics and related discussions, but I'm just going to keep it simple... There are a lot of people that won't buy a phone if they don't have the option to turn off the password at the lockscreen. I'm one of those people. I will enable security when I leave my house, but not when I'm at home.

Also, I must stress a detail that I've seen misquoted and frequently repeated. Your data is not "decrypted a single time on start up." With full-disk encryption, the user data is always encrypted 100% of the time on the disk (in this case, flash memory). When a process on the device needs to read some data, only that data is decrypted, and it only goes into RAM, so it's never sitting decrypted on storage. The whole process is seamless from a user's perspective, but it is happening.

Erland

Thanks for clearing that up. This seems like a much more useful and practical implementation then what I had previously thought and makes much more sense.

Gerad Munsch

This is purely just my personal speculation, but I've put some thought into this.

Encryption (obviously) needs private keys. To make encryption, by default, work for a "normal user" (who doesn't want to enter their password at each boot, or use a PIN/password lockscreen), there would need to be a way to generate private key material, and keep it secure.

This seems to be about the only way I can think of that this could possibly work, as we *know* that private keys must remain private for encryption to be viable.

Any opinions?

marcel

Basically it is like the good old truecrypt that encrypted/decrypted data on the fly, however i am still kind of confused on how this encryption is implemented.

From my understanding, without a boot password (not a lockscreen pin/password (!!!!)) the default encryption seems useless, because as long as the device can decrypt your data, anyone that gets their hands on it can a swell.

The only practical use i would see for the system encryption would be if you had to enter your decryption password every boot which then gets stored in ram or on your device and used for all the encryption/decryption processes (just like truecrypt did)

The lock screen wouldn't even have anything to do with the encryption anymore, because the lock screen isnt used for the encryption process at all, its just a... lock screen.

Naturally, I agree about the lockscreen just being a lockscreen. The original implementation was bad because the two were tied together when they shouldn't have been.

I don't have enough information about how the boot process occurs with encryption enabled, but Gerad Munsch's comment (link) would make a lot of sense. I can imagine other ways to achieve this given different criteria, but we'll have to wait to be sure.

Simon Belmont

Thanks for the explanation, but I have a question for you about it. If the device encryption used in Honeycomb through KitKat required a PIN or password upon boot, used as part of the encryption key no doubt, then if Lollipop isn't prompting for a PIN or password at boot, where is that encryption key being obtained from? Some random number? I mean there has to be some kind of entropy to make the encryption strong.

I know you mentioned hardware level encryption for newer devices (like how iOS devices use hardware level encryption), but where does this leave older devices like the Nexus 5 and other current Nexus devices? The OP of this thread mentioned no PIN or password was required at boot, and the N5 probably doesn't have hardware level encryption capabilities, so that's what my question stems from. How can it encrypt and not require a PIN or password at boot, when it always used to for older version of Android? Is it just some new method of device encryption? By the way, I agree with you completely that there should be an option to turn it off and it shouldn't require a secure lock screen (though I'd probably use a trusted device with mine with encryption turned on).

I haven't turned on encryption on my N5. Does it not ask for a password at boot time on Lollipop?

Regarding the newer devices, I don't have enough information about the implementation in front of me. Since they haven't been released yet (except for a random few floating around at some events), I doubt anybody but an engineer with familiarity on the project could answer that. Once the devices are out or AOSP is updated, I think we'll get that answer pretty quickly.

SYSYEM_DOWN

why oh why doesnt android limit the number of wrong pin attempts.with encryption enabled it just makes sense to limit lock screen attempts and shut the phone down after a set amount of tries.if some one is trying to access your phone by guessing the pin the phone would shut down and be encrypted the person who is trying to access the phone has now completely locked it down and can not gain access to any personal data

Burner2k

This is not related to the above post, but I was wondering if AP could do a run-down of Material designed Google apps like Gmail, Maps, Keep etc from final L preview?

Adrian Meredith

the l preview doesnt come with any new apps apart from dialer and clock. In fact its bundled with the old 1.x android music app. Looks like we'll see those apps at the same time everyone else does

Simon Belmont

Sadly none of those apps are present in the preview. If they were we'd be hearing about it big time on AP.

Those apps will all debut when Lollipop officially rolls out to devices in early November. I'd wager that even the FEW Material Design apps that we HAVE seen in this Preview are not final, and will be updated on the Google Play Store with the remaining finishing touches and features upon the aforementioned launch of Lollipop.

Sergii Pylypenko

About damn time. Next thing to do is to make it possible to choose Firefox as the default system-wide WebView, that will require another OS update unfortunately.

Tarun Pemmaraju

Wouldn't that be horrible for developers, since they would have to worry about multiple rendering engines in their app as opposed to being guaranteed to work?

Sergii Pylypenko

Nope, you only need to ensure your app works well with the default engine.

But it will be great for users, because of diversity and Adblock.

DonEmu

Do Firefox and Chrome use the same engine? If not then the guy above you has a point. Apps would then have to cater to multiple rendering engines since you're basically changing the default engine from the one in Chrome to the one in Firefox.

Sergii Pylypenko

No, and that is the point - some sites work better in Firefox, some - in Chrome.

If they do it as a per-app setting, everyone will be happy - apps will not need to cater to every engine, they only ensure they are working fine with Chrome, and users have themselves to blame if Firefox engine won't work. And they can change it back of course.

They did this years ago, Adobe abandoned Flash for Android and is abandoning Flash altogether in the future.

It'd be a waste of time to develop again.

Crispin Swickard

Adobe offered itself separately, but they could fold it into webview/Chrome like desktop Chrome. Since they can update it much faster, and all. Adobe could be to blame with the state of things. Sideloading the last available version that was not very stable especially switching to full screen video is not the best solution. If the internet would stop using it so much it wouldn't be a problem, but its still a necessary evil at this point.

Jason

But bringing Flash to mobile Chrome is no way to resolve that evil. I don't care much for Apple, but one thing I really appreciate is their refusal to allow Flash on their mobile devices even when it was more widespread than it is now. The reason Flash is on the decline is because mobile platforms do not support it.

There are lots of sites that still use it, but thankfully the number is shrinking by the day, and the total count is MUCH lower than it was even a year or two ago. Flash is a best left by the wayside because it belongs in an era that's long since passed by.

Jadephyre

The problem is also that WebView/Chromium is open source while Flash is not and never will be. Folding it into WebView/Chrome would mean Google has to license it from Adobe, which would cost them money which in turn would make phones more expensive.

Bala

thats an incredible step by google... i wish the move out more system components to store similar to this

It's not impossible, but it's incredibly unlikely. Google open sourced Chromium for a number of reasons, and it's used extensively in Chrome OS, the Chrome browser on every platform, and now as the WebView on Android. Attempting to close the source would introduce a lot of other issues.

If a competitor chooses to fork Android, this unbundling of the WebView is not going to cause any problems for them. They'll still be able to download and build their own version, though, it might require a little more work.

Kenny Strawn

Start using Play Services to deliver kernel/ART/user interface updates, and then we'll talk...

Oddsock

Fragmentation would finally be solved.

Kurleigh Martin

This article is a bit disingenuous....how many devices will actually get Lollipop and this cool new feature.....not many and not quickly. The problem still exists

Ibrahim Yusuf

For now. but every Android version going forward will have it, and then in a few years it's now a problem anymore.

Ehh, no... This is an article about a new feature *of* Android 5.0, not about something that is being backported to KitKat or earlier, or can be downloaded and installed regardless of version. There's nothing misleading or disingenuous in that.

As for device updates and the dreaded fragmentation argument which you're effectively calling up... Yeah, devices eventually get left behind, it happens. However, Motorola has already committed to bringing its 2013 and 2014 devices up to Lollipop. HTC has done the same for both versions of the HTC One (m7 and m8), the latest Desire, and I think a few others (I haven't kept close tabs). Samsung, too, is surely going to bring most of its flagships up to date if they are under 2 years old (and possibly some older). No doubt most of the other major OEMs will be doing the same.

In fact, it's ironic that you are trying to take issue with device abandonment, because this change actually improves that situation. Devices that make it to Android 5.0 will continue to receive WebView updates even after the manufacturer ceases to release newer firmwares. Sure, there is older hardware that has already been abandoned, but that ship has already sailed. At least something is being done for every device in the future.

Oddsock

Yeah, at the very least its good Google is doing this now to future-proof.

The value of raw AOSP is a complicated subject, one that I'm sure Amazon, Blackberry, Microsoft, and a few other companies would comment on if they were more apt to share public commentary of that kind. Plenty of companies are making use of the code in their own ways, but it is increasingly requiring more time and money to build something usable and marketable.

However, in this particular instance, the relevant details is that Chromium is fully open source. Google is not abandoning an old version of an open source app only to replace it with a closed source variant. If somebody decides to fork the OS, they're free to download the exact same source code that Google uses, package it up, and distribute it in the same way. As I mentioned in another comment, there will probably be a bit of extra plumbing to make the code work, but that stuff should be fairly trivial to implement and irrelevant to how the finished product operates.

tl;dr – Google isn't doing this to screw with anybody that chooses to fork Android.

Sicofante

Thank you very much. It's clear now that this is not a case of closing an open source service and replacing it with a closed one, so I'm relieved. I keep an eye on this because I'm a CyanogenMod user with no gapps installed.

Kehnin Dyer

ableist webviews. They really need to be treated as a transparent element to android and all the stuff inside should be treated like their native counterparts.
having looking into it from a blind person perspective, webviews single handedly make Android unusable. it is horrible and needs fixing.
Hopefully this change will allow updates to come to this much needed area of functionality.

John Smith

Good thing too because when it comes to HTML5, the webview is a fragmented piece of shit that I hate to work with